Michael McNamara

technology, networking, virtualization and IP telephony

HP ProCurve 5400zl IP Routing – Management VLAN

by

I very recently had an interesting consulting engagement. The customer was using a SonicWALL firewall to do the routing for all their internal VLANs and wasn’t getting the throughput or performance that they were expecting from their HP 1Gbps network. I explained to the customer that they were routing internal traffic through the SonicWALL and if they didn’t have a need to isolate the VLANs using a firewall they should move the routing to their core HP 5400zl switch, thereby providing wire speed routing and switching within the internal network. In this configuration traffic would only hit the SonicWALL firewall when the packets were destined to the Internet or to a remote VPN location.

I made the various configuration changes on the HP 5400zl and oddly enough I couldn’t get routing to work. I had two laptops on opposite VLANs which couldn’t communicate with one and other. I could ping both laptops from the HP 5400zl switch but the switch didn’t appear to be routing the packets even though IP routing had been enabled.

I took to Google and quickly found a thread on the HPE Community website titled, Inter Vlan Layer 3 Routing on 5400. I quickly learned that the command “management-vlan 1” disables routing on that specific VLAN. I issued a “no management-vlan 1” and I could immediately ping between the two laptops without issue. After I little more research I found the following explanation.

Secure Management VLAN
Secure Management VLANs are designed to restrict management access to the switch to only those nodes connected to the Management VLAN. That is, only clients who are connected to ports who are members of the Secure Management VLAN can be allowed to gain management access to the ProCurve device. This sharply limits the universe of devices that can attempt unauthorized access.

Configuring a Management VLAN takes only one command:

ProCurve Switch(config)# management-vlan VLANID

Any VLAN can be assigned as the management VLAN. Take care to ensure that the same VLAN is configured as Management VLAN on all ProCurve switches that are to be members of the management VLAN.
There are a few restrictions on Secure Management VLANs worth noting:

  • Only one VLAN per switch can be identified as the Secure Management VLAN.
  • IP addresses must be assigned manually to the Secure Management VLAN. The switch will not allow the Management VLAN to acquire its address through DHCP/Bootp.
  • To maintain the secure nature of the management VLAN, only ProCurve switch ports that are connecting authorized management stations, or those extending the management VLAN to other ProCurve switches, should be members of the Management VLAN.
  • Internet Group Management Protocol (IGMP) is not supported on the Management VLAN.
  • Routing to or from the Secure Management VLAN is not permitted. Routing can be enabled on the switch and all other VLANs will be routable, but the Secure Management VLAN will remain isolated.

The customer did tell me that they had tried to add IP routing to the HP 5400zl in the past but could never get it to work properly. You can imagine my initial surprise when I too was temporarily stumped after configuring the IP addresses on the VLAN interfaces and enabling IP routing. Thankfully some quick research provided the solution.

Cheers!

HP 1/10GB Virtual Connect Interconnect Upgrade to 3.17

by

With these tough economic times many organizations are trying to make the most out of every dollar and that is especially true in healthcare. In my specific case this means re-utilizing existing equipment to help further the goals of the organization (if only temporarily) rather than burning a whole the size of Texas in the IT capital budget. So over the course of the last few weeks we’ve been preparing to re-light the original HP C7000 Enclosure that launched our foray into the virtual world some 20 months ago. The enclosure has since been shipped to a new data center where it was racked alongside quite a few other HP C7000 enclosures. While we had originally hope to keep all our VM enclosures standardized with HP’s Flex 10 Virtual Connect modules, we’ll be deploying this enclosure with HP’s 1/10GB Virtual Connect modules.

This was the first time I’ve ever run the HP Virtual Connect Support Utility so I wasn’t sure what to expect. There were 6 1/10GB Virtual Connect modules in this specific enclosure that needed to be upgraded. If you are utilizing NIC teaming and you have the modules/interconnects cabled in such a way that they are completely redundant then you should be able to upgrade without any downtime. I was able to maintain connectivity (Remote Desktop) to a HP BL460c while the upgrade was running and while the various modules/interconnects rebooted (one at a time). I could see the different NICs on the Microsoft Windows 2003 server go up and come down as the module/interconnect that fed that NIC was rebooted and then recovered. The NIC teaming configuration was the secret sauce that kept the server online and reachable while the utility upgraded the interconnects (one at a time).

You can see from the line of questions that HP put some thought into the upgrade process. The interactive utility will walk you through the upgrade asking you such questions as “Do you want to Specify VC-Enet module activation order?”, “Do you want to Specify the amount of time(in minutes) to wait between activating or rebooting VC-Enet modules?”, etc. In all it took some 35 minutes to upgrade all 6 VC Ethernet modules, the VC SAN modules didn’t require an upgrade.

-------------------------------------------------------------------------------
 HP BladeSystem c-Class Virtual Connect Support Utility
 Version 1.5.2 (Build 173)
 Build Date: Jan  6 2011 11:26:43
 Copyright (C) 2007-2010 Hewlett-Packard Development Company, L.P.
 All Rights Reserved
-------------------------------------------------------------------------------

Please enter action ("help" for list): help
===============================================================================
Action        Description
===============================================================================
update        Update the module firmware on the target enclosure using the specified Virtual Connect firmware package
-------------------------------------------------------------------------------
discover      Search a range of IP addresses for Onboard Administrators on the network
-------------------------------------------------------------------------------
collect       Collect diagnostic information from a target configuration
-------------------------------------------------------------------------------
configbackup  Download Virtual Connect configuration backup configuration file
-------------------------------------------------------------------------------
healthcheck   Check the configuration status of a target enclosure
-------------------------------------------------------------------------------
help          Display VCSU command help
-------------------------------------------------------------------------------
packageinfo   Display information for a given Virtual Connect firmware package file
-------------------------------------------------------------------------------
report        Display current module firmware versions, package firmware versions, and whether a module is updatable
-------------------------------------------------------------------------------
resetvcm      Reset the Virtual Connect Manager on the remote management configuration
-------------------------------------------------------------------------------
supportdump   Download Virtual Connect support information
-------------------------------------------------------------------------------
version       Display list of current module firmware versions on target configuration
-------------------------------------------------------------------------------
Please enter action: update
Please enter Onboard Administrator IP Address: 10.1.44.129
Please enter Onboard Administrator Username: Administrator
Please enter Onboard Administrator Password: ********
Please enter firmware package location: c:\vcfwall317.bin
Please enter Bay Number (Optional):
Please enter Configuration backup password (Optional):
Do you want to force an update on modules? (yes/NO):
Do you want to Specify VC-Enet module activation order? (yes/NO):
Do you want to Specify VC-FC module activation order? (yes/NO):
Do you want to Specify the amount of time(in minutes) to wait between activating or rebooting VC-Enet modules? (yes/NO):
Do you want to Specify the amount of time(in minutes) to wait between activating or rebooting VC-FC modules? (yes/NO):
Please enter the VCM Domain user credentials.
User Name: Administrator
Password: ********
The following modules will be updated:

==============================================================================
Enclosure   Bay  Module           Current Version       New Version
==============================================================================
USE839F82T  1    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------
USE839F82T  2    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------
USE839F82T  5    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------
USE839F82T  6    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------
USE839F82T  7    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------
USE839F82T  8    HP 1/10Gb-F      3.15                  3.17
                 VC-Enet Module   2010-10-09T07:18:16Z  2011-03-16T01:27:44Z
------------------------------------------------------------------------------

The following modules will NOT be updated:

=====================================================================
Enclosure   Bay  Module           Current Version  Status
=====================================================================
USE839F82T  3    HP Virtual       1.41 7.12.4.11   No update needed
                 Connect 4Gb FC
                 Module
---------------------------------------------------------------------
USE839F82T  4    HP Virtual       1.41 7.12.4.11   No update needed
                 Connect 4Gb FC
                 Module
---------------------------------------------------------------------

During the update process, modules being updated will be temporarily
unavailable. In addition, the update process should NOT be interrupted by
removing or resetting modules, or by closing the application. Interrupting
the update or the modules being updated may cause the modules to not be updated
properly.

Please verify the above report before continuing.

Would you like to continue with this update? [YES/NO]: yes

Updating firmware [Step 2 of 3 : 0% complete]

Updating firmware [Step 2 of 3 : 50% complete]

Updating firmware [Step 3 of 3 : 0% complete]

Updating firmware [Step 3 of 3 : 50% complete]

The following modules were updated successfully:

=======================================================================
Enclosure   Bay  Module                     New Version
=======================================================================
USE839F82T  1    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------
USE839F82T  2    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------
USE839F82T  5    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------
USE839F82T  6    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------
USE839F82T  7    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------
USE839F82T  8    HP 1/10Gb-F VC-Enet        3.17 2011-03-16T01:27:44Z
                 Module
-----------------------------------------------------------------------

Total execution time: 00:34:13
Press Return/Enter to exit...

I’m curious what other people’s experiences have been upgrading their Virtual Connect modules?

Cheers!

HP BL490c G6 Series Servers – Jumbo Frames

by

While troubleshooting some HP Virtual Connect Flex-10 issues today I came across the following customer advisory that states the on board (LOM) HP NC532i Dual Port 10GbE Multifunction BL-c Adapter that we have in our HP BL490c G6 series servers only supports a maximum frame size of 4088 bytes not the standard ~ 9000 bytes that I had previously thought they were capable of. Worse yet the HP drivers will let you set the MTU to 9014 bytes even though it won’t work.

HP ProLiant Networking Software Version 9.65 incorrectly allows setting a Maximum Frame Size of 9014 bytes (9KB Jumbo Frames); however, the NIC does not support a Maximum Frame Size greater than 4088 bytes.

HP ProLiant Networking Software Version 9.70 (or later) properly limits the Maximum Frame Size setting to 4088 bytes on the affected adapters.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01995738&lang=en&cc=us&taskId=101&prodSeriesId=3884113&prodTypeId=15351

The advisory seems to indicate that this is a hardware issue but I’m curious if anyone else has run into this?

Cheers!

 

 

New Data Center – Tidbits

by

I thought I would follow-up my last post with some additional tidbits and background on the data center build.

Let me start by saying that we haven’t abandoned Nortel/Avaya as a viable network electronics vendor. When we first started this effort back in January 2009 we initially looked at Brocade, Cisco, HP, Juniper and Nortel. After the initial cut we were left with Brocade, Cisco and Nortel/Avaya. When the final decision was made, back in November 2009, there was still a lot of concern about Avaya’s purchase of Nortel’s Enterprise Division so the decision really came down to Brocade or Cisco. Ultimately the decision was made to go with Cisco. As I commented in the previous post we still have well over 33,000 ports on Nortel/Avaya switches and less than 1,000 ports on Cisco switches. We are still purchasing and installing/deploying Nortel/Avaya switches in our hospitals and business offices .

Nexus 5010 Virtual PortChannel bug?

I’ve been known to tell people that we’re a partner with Nortel/Avaya because of the number of bugs that we identify and help to resolve.  Well if I thought it was going to be any different with Cisco I can throw that idea right out the window as we have identified a bug in the vPC code for the Nexus 5000 switch. We discovered the issue with a pair of Nexus 5010 switches when one of the switches up and died (hardware failure). While trying to troubleshoot the problem we restarted the remaining Nexus 5010 switch only to find that the remaining Nexus 5010 would no longer adopt the Nexus 2148 switches/FEXes after it was rebooted if the peer Nexus 5010 wasn’t online. If we removed the vpc configuration from the portchannel then the FEX would come online. After speaking with Cisco they have created bug CSCth01969 which is supposedly going to be addressed in the next software release.

HP Virtual Connect Flex-10/NIC issues/ESX 4.0 Update 1 Drivers

We also ran into a number of issues with the HP BL490c blades and HP Virtual Connect Flex-10 Interconnect. On a number of blades we had an issue where the ESX installer was unable to locate any network interfaces. The installer would error with something like “The script 32.networking-drivers failed to execute and the installation can not continue.” The solution was to re-apply the NIC firmware after the Virtual Connect profile had been applied to the server. You can find additional detail over at Brian’s blog if interested.

We also ran into another issue when performing our redundancy and high-availability testing. We configured Virtual Connect to use SmartLink, however, when we unplugged the uplinks from the B side interconnect the Virtual Connect Flex-10 interconnect didn’t disable the server side NICs. The solution to this problem was to update the NIC driver that shipped with ESX 4.0 Update 1. You can find the driver here.

Lots of additional stories to come including a comparison of vPC and SMLT.

Cheers!

LACP Configuration Examples (Part 3)

by

In part 3 of this series I’ll provide a relatively simple example of a LACP LAG between a HP GbE2c L2/L3 switch and two Nortel switches, we’ll terminate two different LAGs on the two ERS 8600 switches using Nortel’s proprietary SMLT (Split MultiLink Trunking) technology.

Example 2 – Ethernet Routing Switch 8600 to a set of HP GbE2c L2/L3 switches using LACP trunks with SMLT

As I said before a picture is worth a thousand words and can be very helpful in designing any network topology.

lacp-example3

I’m going to skip the configuration of the two Nortel Ethernet Routing Switch 8600s since you can refer to the earlier post for an example of how to configure them. In this design we need to disable the virtual cross connect that exists between the A and B sides of the two HP GbE2c switches. Please note that I’m working with the HP GbE2c (C-Class enclosure) not the GbE2 (P-Class enclosure). There are some slight differences between the two. The virtual trunk ports between the A and B sides are on ports 17 and 18 so those ports need to be disabled in order to prevent a loop.

HP-GbE2c-A / HP-GbE2c-B
/c/port 17/dis
/c/port 18/dis

With the virtual trunk cross connects disabled we can now wire each switch independently to the upstream switch(s) which in this case happens to be two ERS 8600s. As is usual for me I’ll create a network management VLAN and place the IP interface of each GbE2c switch in that VLAN (VLAN 200).

HP-GbE2c-A / HP-GbE2c-B
/c/l2/vlan 200
/c/l2/vlan 200/ena
/c/l2/vlan 200/name "10-101-255-0/24"

Let’s add VLAN 200 to the two ports, 21 and 22, that we’ll be using to uplink to the 8600 switches. We haven’t yet enabled tagging so the switch will ask you if you’d like to change the PVID from VLAN 1 (default) to VLAN 200, you can safely answer yes to this question.

HP-GbE2c-A / HP-GbE2c-B
/c/l2/vlan 200/add 21
/c/l2/vlan 200/add 22

Let’s enable tagging on both uplink ports along with RMON and set the PVID just to be safe;

HP-GbE2c-A / HP-GbE2c-B
/c/port 21/tag ena
/c/port 21/pvid 200
/c/port 21/rmon e
/c/port 22/tag ena
/c/port 22/pvid 200
/c/port 22/rmon e

Let’s turn off Spanning Tree on the uplinks, we only want Spanning Tree local to the switch since SMLT will take care of providing the loop free topology.

HP-GbE2c-A / HP-GbE2c-B
/c/l2/stp 1/port 21/off
/c/l2/stp 1/port 22/off

Now it’s time to configure LACP and create the LAG (Link Aggregation Group). We’ll using LACP key 50 but you could use any admin key (number) so long as both ports are configured with the same admin key.

HP-GbE2c-A / HP-GbE2c-B
/c/l2/lacp/port 21/mode active
/c/l2/lacp/port 21/adminkey 50
/c/l2/lacp/port 22/mode active
/c/l2/lacp/port 22/adminkey 50

Here’s the special sauce that will work in combination with the NIC teaming software to fail over in the event of an upstream switch problem or an uplink problem where the GbE2c continues to function but there’s a problem upstream. This configuration will cause the GbE2c switch to disable (admin-down) the server switch ports in the event that the LACP group goes down. This will cause the NIC teaming configuration on the servers to fail-over to the standby NIC.

HP-GbE2c-A / HP-GbE2c-B
/c/ufd/on
/c/ufd/fdp/ltm/addkey 50
/c/ufd/fdp/ltd/addport  1
/c/ufd/fdp/ltd/addport  2
/c/ufd/fdp/ltd/addport  3
/c/ufd/fdp/ltd/addport  4
/c/ufd/fdp/ltd/addport  5
/c/ufd/fdp/ltd/addport  6
/c/ufd/fdp/ltd/addport  7
/c/ufd/fdp/ltd/addport  8
/c/ufd/fdp/ltd/addport  9
/c/ufd/fdp/ltd/addport 10
/c/ufd/fdp/ltd/addport 11
/c/ufd/fdp/ltd/addport 12
/c/ufd/fdp/ltd/addport 13
/c/ufd/fdp/ltd/addport 14
/c/ufd/fdp/ltd/addport 15
/c/ufd/fdp/ltd/addport 16

If you haven’t already let’s configure an IP address (for management) on VLAN 200;

HP-GbE2c-A
/c/l3/if 1/ena
/c/l3/if 1/addr 10.1.255.128
/c/l3/if 1/mask 255.255.255.0
/c/l3/if 1/broad 10.1.255.255
/c/l3/if 1/vlan 200

We need to use a different IP address for the B side switch on VLAN 200;

HP-GbE2c-B
/c/l3/if 1/ena
/c/l3/if 1/addr 10.1.255.129
/c/l3/if 1/mask 255.255.255.0
/c/l3/if 1/broad 10.1.255.255
/c/l3/if 1/vlan 200

As mentioned by a few other folks on this blog and in the forums this solution only provides an active/passive solution in terms of the NIC teaming configuration. This is because the GbE2c L2/L3 switches don’t support IST/SMLT technology. While this will only provide 1Gbps of bandwidth (2Gbps if you count full duplex) between the blade server and the network it will provide significant level of redundancy and high-availability. In this design the network is protected from a GbE2c switch failure, a Nortel Ethernet Routing Switch 8600 failure, and multiple uplink/downlink failures.

Please feel free to post comments and questions here about this post. Questions regarding specific configurations can be posted in the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL